How to identify your ransomware infection to find the right decrypter tool

How would you feel if you opened your computer to find it had been locked with a ransom note demanding cash immediately? Ransomware is the most common online threat of 2016, making up a huge percentage of today’s active threats. It has turned out to be one of the easiest and highest income earners for attackers. All other malware makes its developers money indirectly (by using or selling your computer power), but ransomware directly asks you (the victim) for cash by putting you in a situation in which you feel forced to pay.

The Emsisoft team spends a lot of time looking for ways to prevent ransomware from finding its way onto your computer. But, what if your system is already infected? Don’t panic. Downloading various tools to attempt to unlock your system will only make matters worse. If you have ransomware, look no further.

Emsisoft is proud to support Malware Hunter Team, a group of researchers who share our commitment to protecting you and your data.

Malware Hunter Team does a great job of raising awareness of not only online threats themselves, but how to remove them if you find yourself the victim. What does this mean for you? If you find yourself with ransomware, you can identify the strain you have and find out if there is a decryption tool available.

We spoke with Michael Gillespie at Malware Hunter Team, the creator of ID Ransomware, the website that will help you to figure out what kind of ransomware you have been infected with based on the specific signatures that can be found in the ransom note you receive. He walked us through the process of identifying ransomware families.

Who are Malware Hunter Team and what do they/you do?

Malware Hunter Team is basically a small group of security researchers interested in tracking down malware and promoting cyber security. They do a great job of hunting phishing sites and other threats on a daily basis. I recently joined the team with my ransomware research, and have been coordinating with them on tracking and identifying new threats.

I personally coordinate with ransomware victims and try to hunt down new samples, and help with reverse engineering when I can – with the goal of trying to decrypt if at all possible of course.

So, if someone’s computer has been infected with ransomware, what is the first thing they should do?

I would say the first step is definitely quarantining the system – for an organization this may include finding the affected system. The system should be either shut down, or put in ‘hibernate’ if possible. From there, the threat needs to be identified just like any other malware infection.

And that’s where you guys come in? My understanding is you specialise in working out what type of malware a user has?

Yes. That can sometimes be the tricky part, especially lately with new strains mimicking others, or flying under the radar.

With so many families and new strains, how do you tell them apart? I saw you have 100s that can be decrypted for free through your site.

That’s the hard part. In general, we’ll classify them by the symptoms – what extension does it use, what ransom note is left, etc. Sometimes we do have to get more technical to recognize if it is the same author based on their coding style, or certain strings left in the malware.

And for a user, for example, they have a ransom lockout screen, they go to your site, what would they need to do? What is the process?

I’ve tried to make ID Ransomware as simple as possible for the user. They simply upload a ransom note left by the malware, and one of their encrypted files (I recommend something not confidential), and the website will use several methods of trying to identify which ransomware it is. If it is a positive match, it will provide an easy status on “can it be decrypted”, since that is the #1 thought to a victim at that time. It then gives a link to more information either way so they can learn more about what hit them, and possibly find how it came in in the first place.

I use a few techniques to identify by the filename of the ransom note, certain known email addresses or Bitcoin addresses in the note, the pattern of the encrypted file’s name (e.g. a certain added extension), and even some hex patterns that some ransomware leave in the files. I also have some custom “plugins” for a few more advanced techniques, such as detecting an embedded image in one certain strain.

With the amount of work that goes into it, why do you offer the service for free?

Part of it is inspiration from other volunteers in the area. I get most of my information from sources such as victims, Twitter, and Emsisoft Malware Lab. Also, I don’t want to hold a ransom on helping someone decrypt their files – that makes me no better than the criminals in some sense. The information itself should be free to all.

It seems like the appearance of ransomware is increasing constantly. What does the future of malware look like in your opinion?

I definitely see it becoming more and more of a threat in all sectors as we are seeing with the Internet of Things, and how insecure devices are found to be from the factory. In just the past year I’ve been involved with this, I’ve seen a lot of adaptations and “creativity”. We have recent ransomware we discovered that mimics a Windows Update while it encrypts, one that also creates a backdoor to the system, one that uploads passwords, etc. Malware authors are bundling more features together into one package it seems.

How should people best protect themselves?

The best protection is definitely awareness of what you are clicking on. Having good anti-malware protection is a great step, but knowing how to use it, and how to not HAVE to use it. I want to bluntly say “common sense” when it comes to what you are doing online and what you are trusting to run on your computer.
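
The identification signals described in the interview (ransom note filename, addresses in the note, the encrypted file's name pattern, hex patterns left in files) can be combined into a small matcher that reports which signals fired for each family. This is an added example, not ID Ransomware's code and not part of the interview; the two families, their signature values and every function and field name are constructed for illustration.

```python
import re
from dataclasses import dataclass

@dataclass(frozen=True)
class Signature:
    family: str
    note_names: tuple = ()      # ransom note filenames, lower case
    note_addresses: tuple = ()  # contact e-mail or Bitcoin addresses seen in notes
    name_pattern: str = ""      # regex on the encrypted file's name
    hex_marker: bytes = b""     # byte pattern left inside encrypted files

# Constructed signatures for two made-up families (not real indicators).
SIGNATURES = (
    Signature("ExampleLockerA", ("how_to_recover.txt",),
              ("unlock@example.invalid",), r"\.lockeda$", b"EXLA\x00\x01"),
    Signature("ExampleLockerB", ("readme_decrypt.html",), (),
              r"^[0-9a-f]{8}\.exb$", b""),
)

def identify(note_name, note_text, enc_name, enc_bytes, scan_limit=4096):
    """Return [(family, [matched signals])], strongest match first."""
    note_name, note_text = note_name.lower(), note_text.lower()
    # Assumption of this example: a marker sits near the start or end of the
    # file, so only those two windows are scanned (checked separately so a
    # marker cannot be "found" across the seam between them).
    windows = (enc_bytes[:scan_limit], enc_bytes[-scan_limit:])
    results = []
    for sig in SIGNATURES:
        hits = []
        if note_name in sig.note_names:
            hits.append("note_filename")
        if any(addr.lower() in note_text for addr in sig.note_addresses):
            hits.append("note_address")
        if sig.name_pattern and re.search(sig.name_pattern, enc_name, re.I):
            hits.append("file_name_pattern")
        if sig.hex_marker and any(sig.hex_marker in w for w in windows):
            hits.append("hex_marker")
        if hits:
            results.append((sig.family, hits))
    # More independent signals means higher confidence; ties keep list order.
    return sorted(results, key=lambda r: len(r[1]), reverse=True)

def mimic_case():
    # Constructed input: note copied from family A, file named like family B.
    return identify("HOW_TO_RECOVER.txt", "Write to unlock@example.invalid",
                    "1a2b3c4d.exb", b"\x00" * 64)
```

Returning every family with the signals that matched, rather than a single name, keeps a look-alike note from silently deciding the answer when the file itself points elsewhere.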